Why Your Nonprofit Needs a Data Retention Policy (And How to Start One)


Most nonprofits are holding onto data they don’t need, can’t find when they do need it, and wouldn’t know how to securely dispose of if they tried.

A data retention policy fixes all three problems. It’s not a compliance exercise — it’s a practical tool that reduces your risk, simplifies your operations, and makes it easier to respond if something goes wrong.

Here’s what it is, why it matters, and how to build one without making it a major project.

What Is a Data Retention Policy?

A data retention policy is a document that answers three questions for each type of data your organization holds:

  1. How long do we keep it?
  2. Where do we keep it?
  3. How do we get rid of it when we’re done?

That’s it. It doesn’t have to be complicated. A one-page matrix covering your main data categories is far better than nothing.

Why Nonprofits Specifically Need One

You hold sensitive data. Donor records, client information, program participant data, employee files — depending on your mission, you may be holding information about vulnerable populations, financial details, or health-related information. Data you don’t need is data that can be breached.

Funders and auditors ask for it. Increasingly, grant applications and audit processes ask whether you have data governance policies in place. Having a retention policy is a straightforward way to demonstrate organizational maturity.

Staff turnover creates data chaos. When someone leaves, what happens to their files? Their email? Their access to shared systems? A retention policy gives you a framework for answering these questions consistently.

You may have legal obligations. Depending on your state and the nature of your programs, there may be legal requirements for how long you retain certain records — financial documents, personnel files, program records. A retention policy ensures you’re meeting those requirements without having to remember them case by case.

A Simple Framework to Get Started

Divide your data into categories and assign a retention period and disposal method to each. Here’s a starting point:

Data Type                  Retain For                          Disposal Method
Financial records          7 years                             Secure deletion
Grant records              7 years after grant closes          Secure deletion
Donor records              Duration of relationship + 3 years  Secure deletion
Personnel files            7 years after separation            Shredding / secure deletion
Program participant data   Per program requirements            Secure deletion
General correspondence     3 years                             Standard deletion
Board minutes              Permanent                           Archive

Adjust these based on your state’s requirements and any specific grant or regulatory obligations your organization has.

What “Secure Deletion” Actually Means

Deleting a file and emptying the trash doesn’t make it unrecoverable: it removes the directory entry while the contents stay on disk until something overwrites them. For data that contains personally identifiable information, financial records, or anything sensitive, secure deletion means:

  • For files on Google Drive or Microsoft 365: permanently deleting from the platform (not just moving to trash). Check the admin-side settings too: a retention policy or legal hold configured at the tenant level (Google Vault, Microsoft Purview) will keep a copy even after a user “permanently” deletes it, so the platform’s retention settings must match your policy.
  • For local files: using a tool that overwrites the data, not just removes the pointer to it. Overwriting is reliable on spinning hard drives; on SSDs and flash storage the controller may silently keep old copies of blocks, so the dependable approach there is full-disk encryption from day one and destroying the key (or the manufacturer’s secure-erase function) when the device is retired.
  • For physical documents: cross-cut shredding, not recycling.
  • For old devices: wiping before disposal or donation, using manufacturer reset tools or dedicated software. A factory reset is only as good as the device’s encryption: on a phone or laptop that was encrypted, the reset discards the key; on an unencrypted disk, use a dedicated wiping tool instead.

The Three Things Most Nonprofits Get Wrong

Keeping everything forever. Storage is cheap, so organizations default to keeping everything. But data you don’t need is liability you don’t need: every old record is one more thing that can be breached, subpoenaed, or mishandled. If you don’t have a reason to keep it, delete it.

No process for departing staff. When someone leaves, their accounts should be disabled promptly, their data reviewed and either transferred or deleted per policy, and their access revoked from all systems, including shared passwords and third-party services that don’t go through your main login. This should be a checklist, not an afterthought.

Forgetting about email. Email is often the richest source of sensitive data in an organization and the one most people forget to address. Include email in your retention policy and make sure your email platform’s retention settings match.

A Practical Starting Point

You don’t need a lawyer to write your first data retention policy. Start here:

  1. List your data categories — what kinds of information does your organization actually hold?
  2. Identify any legal requirements — a quick search for your state’s nonprofit record retention requirements will surface the basics
  3. Assign retention periods — use the table above as a starting point and adjust
  4. Document where each type of data lives — Google Drive? A CRM? Paper files?
  5. Write a one-page policy — get board approval and make it official
  6. Review annually — your data landscape changes as your programs evolve

Need a Template?

We’ve built data retention matrices for several nonprofit clients. If you’d like a simple template to adapt for your organization, get in touch — we’re happy to share what’s worked.